
LovSan Clone Let Loose

CowboyNeal posted more than 11 years ago | from the coming-around-again dept.

Windows 631

JMullins writes "According to Kaspersky Labs the LovSan virus has been re-released in a new form that has changed the appearance of the worm. It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems. Net slowdowns are expected over the weekend when both versions of the virus start their attack."


frosty (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6701690)

have a nice cold glass of post

Don't forget... (-1)

SCO$699FeeTroll (695565) | more than 11 years ago | (#6701760)

...to buy your $699 license fee you fat, greasy cock-smokers.

Re:Don't forget... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6701917)

I told you, I only use Microsoft, and cock-smoking is free where I come from(San Francisco).

Re:Don't forget... (0)

Anonymous Coward | more than 11 years ago | (#6701969)

So is AIDS.

Cloning.. (5, Funny)

Stalus (646102) | more than 11 years ago | (#6701701)

Don't let the legislature get wind of this story.. They'll try to use it as justification to ban cloning.

Re: Cloning.. (5, Funny)

Black Parrot (19622) | more than 11 years ago | (#6701727)


> Don't let the legislature get wind of this story.. They'll try to use it as justification to ban cloning.

The scary part is that if they mutate and interbreed we could end up with a virus with four asses.

Re: Cloning.. (-1, Troll)

Raven42rac (448205) | more than 11 years ago | (#6701907)

Ok, the original writer is an asshole, the guy who copied it is a mega asshole. That would be like saying, "you know AIDS isn't deadly enough, I think I should make it better!"

Re: Cloning.. (2)

Gherald (682277) | more than 11 years ago | (#6701935)

Well he probably thinks of it as an "improvement."

Re: Cloning.. (0, Redundant)

Raven42rac (448205) | more than 11 years ago | (#6701946)

I think we all agree that outside of a research environment, virus/worm writing is the lowest form of geekery.

Re: Cloning.. (1, Insightful)

Anonymous Coward | more than 11 years ago | (#6701941)

If AIDS became deadlier, and faster to kill, maybe it would help slow its spread. After all if you die a day after contracting it, only necrophiliacs would get it. And I think we can all agree that necrophiliacs deserve what they get. Are you with me here !?

Re: Cloning.. (0)

Raven42rac (448205) | more than 11 years ago | (#6701963)

Totally.

Re:Cloning.. (0)

Anonymous Coward | more than 11 years ago | (#6701740)

Don't let the legislature get wind of this story.. They'll try to use it as justification to ban cloning.

Which would be terrible since this is such a good example of the positive contributions that cloning will make to society.

That's media reporting for ya (4, Insightful)

NanoGator (522640) | more than 11 years ago | (#6701711)

"It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems."

To be fair, the media's not going to be interested in reporting that it's not as bad as it seems.

(Note: I'm not saying it's not that bad, I'm saying don't trust the media to tell us it's dying.)

Re:That's media reporting for ya (1)

interiot (50685) | more than 11 years ago | (#6701794)

Maybe I'm confused, but how does "no real end in sight" indicate that the worm is dying?

Re:That's media reporting for ya (1)

ihummel (154369) | more than 11 years ago | (#6701880)

That's the point he was trying to make: he doesn't think the media would tell him if it were dying. Just because they say there's no end in sight doesn't necessarily make it so.

gotta say it (2, Interesting)

minus_273 (174041) | more than 11 years ago | (#6701713)

Bill Gates, why do you let this happen? Any coincidence that the attack is exactly 1 month to the day that the hole was announced..

Lights go out for *BSD (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6701717)

Blackout kills *BSD life-support

It is common knowledge that *BSD is dying, that ever hapless *BSD is mired in an irrecoverable and mortifying tangle of fatal trouble. It is perhaps anybody's guess as to which *BSD is the worst off of an admittedly suffering *BSD community. The numbers continue to decline for *BSD but FreeBSD may be hurting the most. Look at the numbers. The loss of user base for FreeBSD continues in a head spinning downward spiral.

OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of BSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

All major marketing surveys show that *BSD has steadily declined in market share. *BSD is extremely sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among hobbyist dilettante dabblers. In truth, for all practical purposes *BSD is already dead. It is a dead man walking.

Fact: *BSD is dying

BSD is dying, but Idi Amin is Getting Better! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6701895)

Idi Amin, the so-called "Butcher of Africa" has come out of his coma, but is now seeking a kidney donation. Amin is currently living via the aid of a haemo-dialysis machine.

Semi-literate boxer turned Ugandan despot and cannibal, under whose reign up to 400,000 people were killed or made to disappear is currently living in secrecy in Saudi Arabia, protected by his entourage. Prior to his 1979 overthrow, Amin forced some 70 thousand Asians in Uganda to leave the country, and abandon their businesses, accelerating chaos.

It was once reported that Amin eats 40 oranges a day, to "keep up his sex power." It is still uncertain whether he will be allowed to be buried in Uganda.

It is quite ironic that this man who once relished torture and death now faces his own. If he had only had the foresight to not kill as many people, he might not have had to face such a difficulty in finding a donor. Alas, hindsight is 20/20. Please consider that since his exile however, Amin has converted to Islam. Remember that Allah forgives, and please consider donating one of your kidneys to this very large mass-murderer today!

Fact: Idi Amin needs a kidney.

And while you all get easy 5, funnies. (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6701719)

Linux has its own problems. But you mod them -1 under the rug until the fsf site gets hax0red. troll but true.

Re:And while you all get easy 5, funnies. (5, Insightful)

NanoGator (522640) | more than 11 years ago | (#6701741)

"Linux has its own problems. But you mod them -1 under the rug until the fsf site gets hax0red. troll but true. "

That was true like a year or two ago, but since this has come up I've been amazed at how things have changed here. It's not that it's turning pro-Microsoft, but the "Everything Linux does is perfect" attitude has settled back down to realistic levels.

I agree with you, though, Linux is a root password away from being ssh'd to hell.

Re:And while you all get easy 5, funnies. (5, Interesting)

Anonymous Coward | more than 11 years ago | (#6701846)

Point taken, but badly stated. The FSF cracking incident was due to an application that runs on Linux, and does not ship with most Linux distributions--it has to be intentionally downloaded and installed.

So are we going to start adding all securities in third-party apps that run on Windows to the "Windows vulnerability" list? That's crazy.

Linux is a kernel, yes. But the fact that it's available in that form if that's all you want is an advantage, not a technicality. Try getting Windows without a GUI, or SMB.

Re:And while you all get easy 5, funnies. (1, Insightful)

ihummel (154369) | more than 11 years ago | (#6701850)

Is anything that doesn't forbid remote access *not* a root/sysadmin password away from being ssh-ed (or whatevered) to hell?

Re:And while you all get easy 5, funnies. (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6701981)

How was the parent flamebait? The BMFH strikes again.

Let's see here (3, Insightful)

Anonymous Coward | more than 11 years ago | (#6701765)

  • FSF FTP site gets hacked. Some people are mined for passwords.
  • A significant proportion of all desktop machines on the internet are compromised by a self-propagating virus, and the internet is affected by the sheer quantity of traffic generated by the worm.
I think there's a slight difference of scale there.

Re:Let's see here (3, Interesting)

Frenchy_2001 (659163) | more than 11 years ago | (#6701900)

There is also a difference of scale in the sheer number of computers running the infected software. Outside of /., what is the percentage of people running anything else than windows on their desktop? Moreover, what are the technical competencies of those people? M$ tried to make the update process as painless as possible through their windows update website, but it seems to me that it is STILL a failure. 300k+ computers already infected? I can't believe this is ONLY NT4 machines with no auto updates...

Re:And while you all get easy 5, funnies. (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6701852)

Modding this as troll shows just how insecure slashdot readers are to security problems in OSS.

Already slow as hell, so just in case... (3, Informative)

Anonymous Coward | more than 11 years ago | (#6701721)

Kaspersky Labs, a leading expert in information security, has identified a new modification of the notorious Lovesan worm (also known as "Blaster").

Kaspersky Labs' experts anticipate that in the short run a repeated outbreak of the global scale may occur. This is because the two versions of "Lovesan" exploit the same vulnerability in Windows and may co-exist on the same computer. "In other words, all computers infected by the original "Lovesan" will soon be attacked by its revamped version," commented Eugene Kaspersky, Head of Anti-Virus Research for Kaspersky Labs, "Taking into consideration that the amount of infected systems is now reaching 300,000 the return of the worm will imply a doubling of this number and lead to unpredictable results." In the worst case scenario the world community might face a global Internet slow-down and regional disruption of access to the World Wide Web: just as it happened in January 2003 due to the "Slammer" worm.

Technologically, the new modification of "Lovesan" is a copycat of the original. Slight changes were made only to the appearance of the worm: a new name of the main worm-carrier file (TEEKIDS.EXE instead of MSBLAST.EXE), a different method of code compression (FSG instead of UPX), and new "copyright" strings in the body of the worm abusing Microsoft and anti-virus developers.

Users of Kaspersky(R) Anti-Virus can be sure that this new worm will not harm their computers. All Kaspersky Labs products effectively detect both modifications of "Lovesan", without requiring an update.

Nice Troll (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6701818)

Taking into consideration that the amount of infected systems is now reaching 300,000 the return of the worm will imply a doubling of this number and lead to unpredictable results faggot" In the worst case scenario the world community might face a global Internet slow-down and regional disruption of access to the World Wide Web

It's a little fishy (4, Insightful)

Exiler (589908) | more than 11 years ago | (#6701723)

that an antivirus lab announced that a new clone was on the way, not spreading but on the way.

Re:It's a little fishy (1, Funny)

Anonymous Coward | more than 11 years ago | (#6701745)

Woot, new way to make money:
1. Capture virus
2. Rerelease it so it's harder to stop, harder to detect and more harmful
3. PROFIT!!!

Exactly. (3, Interesting)

jpsowin (325530) | more than 11 years ago | (#6701889)

Yes, and notice that their anti-virus program detects both versions of the virus (the old and the "expectant" one) without even an UPDATE? Hmmmm... ;)

Feeling left out (5, Funny)

cesman (74566) | more than 11 years ago | (#6701724)

I'm starting to feel left out.. Maybe I'll install Windows on a box and join the fun.

Defeating MSBLAST.EXE and The Blaster Worm (2)

nomadx (670199) | more than 11 years ago | (#6701888)

christ, right after i wander over to symantec's website to see what this thing really is. the few friends of mine that i've talked to about this, they told me it was some kind of security breaching attack against a system, and that msblast.exe is the program that a hacker can use to remotely control a pc, perhaps to host an ftp server or some other hoopla. then i received some distressful emails from the ITS department at my university, saying many of the computers have been infected but are now isolated in an attempt to control the spreading of this thing. then yesterday, i was at work and in the course of only three hours i had two people come up to me asking about antivirus software (i work in retail) - they were infected. i wasn't sure what to make of this new threat at that point, so i told them that norton may or may not be able to help. then when i got home and checked out what symantec had to say, all the documentation was already done on this new strain of worm. so it is, after all, a destructive worm that reproduces itself, no hacking involved. i read the whole thing, and then i read microsoft's security bulletin (which is more vague, the only important thing it has to say is that you need to patch your os and tells you where to get the patch). so it's simple. just patch your os, update virus definitions. and run fixblast.exe courtesy of symantec. designed to remove any threat. i have already helped one person by personally removing the virus from her system by using that simple sweeping program, which simply scans your computer for the registry keys and msblast.exe and removes it if found. it was pathetically easy. and symantec's documentation backs me up on this; it is very easy to remove using their tool, not as easy but still not challenging to do it manually either (instructions for that are also available).
today i received another email from ITS, a new strain is out, and all the computers on the network are preparing for a massive DOS attack against windowsupdate.microsoft.com (not sure if that address is correct, tell me if i'm wrong). how they know this or why someone would want to do something so completely insane with this worm is beyond me. the point being, it can easily be fixed, and thanks to dedicated teams like symantec, virus threats can be kept to a minimum in combination with prevention awareness.

Re:Defeating MSBLAST.EXE and The Blaster Worm (0)

Anonymous Coward | more than 11 years ago | (#6701952)

That has got to be the most illegible post I've seen all week long.

Re:Feeling left out (5, Funny)

alonsoac (180192) | more than 11 years ago | (#6701899)

No seriously, I once was regarded by friends and family as the guy who could fix their computers. Now they call like crazy saying their PC is rebooting and I don't know what the hell they are talking about. Then I read about the virus and tell them what to do but of course I wouldn't know if it will work (or why it didn't work) since I don't have an infected machine to try it. This has made me look like an idiot plus I'm here working all day while my friends enjoy a couple days of forced vacations while someone has time to fix their machines. Grrrr..

Re:Feeling left out (1)

Gherald (682277) | more than 11 years ago | (#6701971)

You could have just killed everything in task manager named svchost.exe, which would emulate the virus' symptoms...

Related? (0)

Anonymous Coward | more than 11 years ago | (#6701725)

windowsupdate.com is down.

Re:Related? (0)

Anonymous Coward | more than 11 years ago | (#6701769)

Well, Besides the fact that it's windowsupdate.microsfot.com. No!

Microsoft only sells software. (0)

Anonymous Coward | more than 11 years ago | (#6701781)

"windowsupdate.com is down."

You can't expect Microsoft to know anything about computer hardware, and prepare for something like this in advance. They only sell software.

Ugh, lazy patchings (4, Interesting)

AEton (654737) | more than 11 years ago | (#6701728)

The RPC vulnerability this worm exploits was patched at least three weeks ago. Maybe if people would get it through their skulls that Windows ships with a BIG WINDOWS UPDATE LINK [microsoft.com] in the Start Menu for a REASON, and maybe if people would at least check for new, fun things weekly, these viruses wouldn't spread quite so far. The news outlets that focus on the "horrific" damage instead of the easy fix are doing their subscribers a disservice.

Besides, even if you don't care about security, you must at least admit it's fun to see a new "This vulnerability could allow an attacker to execute malicious code"-patch every week. I wonder what'll happen when Microsoft's numbering system overflows...

Re:Ugh, lazy patchings (5, Interesting)

Doppler00 (534739) | more than 11 years ago | (#6701763)

Actually, I'm wondering why the heck RPC service is allowed to be exposed to the internet interface in the first place. There is absolutely no good reason for Microsoft to design it this way. Sure, I could understand it being useful for corporate networks, but to leave it on and not allow you to turn it off is ridiculous.

This isn't so much about security as it is poor design on the part of microsoft leaving so many useless services exposed to the internet.

Re:Ugh, lazy patchings (2, Insightful)

KshGoddess (454304) | more than 11 years ago | (#6701905)

We were infected by someone dialing in to (of all places, MSN) and opening an *authorized* VPN tunnel to our network.

Users will not patch their machines, even if there's a bright icon in their start menu. Even if it reminds you all the damn time. If it doesn't automagically download and install, they're not going to do it.

Should they have to? No. No one should have to patch as often as they do. Especially not desktops. Home users, for the most part, are technically savvy enough to plug in a USB device and have it 'work'. Office users, forget about it. For the most part, people think computers are magic, and IT people are just weird to be able to understand them.

Re:Ugh, lazy patchings (0)

Anonymous Coward | more than 11 years ago | (#6701925)

You're wondering why a REMOTE Procedure Call service is exposed to the network? There's no good reason for a REMOTE Procedure Call to be exposed to the network?

And yes, it's a service, so it can be turned off if you really want to.

Please stop smoking the crackrock.

Re:Ugh, lazy patchings (1)

BradleyUffner (103496) | more than 11 years ago | (#6701937)

RPC can be turned off in windows. But finding the setting is just one step above editing the registry.

Re:Ugh, lazy patchings (1)

dtfinch (661405) | more than 11 years ago | (#6701939)

They leave all those ports open and services running so that when someone on the outside tries to access a feature that hasn't been enabled yet, it'll be able to send back "Access Denied" in a friendly fashion rather than just refusing the connection.

Or at least that's how I imagine they would try to explain it.

Today I noticed that every morning our couple XP computers at work send out a few uPnP related packets to 239.255.255.250:1900. They're going beyond our lan and out through our gateway to the internet. It's probably not worth the effort to investigate further and correct, but it bugs me a little.

Re:Ugh, lazy patchings (1)

Ryosen (234440) | more than 11 years ago | (#6701865)

>> I wonder what'll happen when Microsoft's numbering system overflows...

Credit MS with a little bit of insight. They increased the data type for the numbering to a double a long time ago. ;)

OMG OMG OMG!! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6701732)

im a lunix hippie and I actually talked to a girl :(

Food for thought. (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#6701737)

Maybe the RIAA could use one of these clones to scan people's hard drives and return illegal music.

PS. We should all listen to Microsoft and apply the security patch that should've been in the original release of Windows.

Come on Billy, fix your software!

Phew (4, Funny)

tarquin_fim_bim (649994) | more than 11 years ago | (#6701742)

"All Kaspersky Labs products effectively detect both modifications of "Lovesan", without requiring an update."

Guess they were just damned lucky there.

Re:Phew (0)

Anonymous Coward | more than 11 years ago | (#6701784)

So what are you implying? I'm sure Kaspersky will deny all responsibility.

Re:Phew (2, Informative)

Satan's Librarian (581495) | more than 11 years ago | (#6701891)

If past performance is any indication, it's because Kaspersky takes multiple strings from harder to modify areas and also supports wildcards - the guy who started it (Eugene Kaspersky) is a badass at assembler and has generally produced some of the best virus analysis in the industry. I use and recommend F-Secure [datafellows.com], which uses a combination of his engine and Fridrik Skulason's for scanning - that way you get the advantage of having two sets of separately picked virus signatures plus different heuristical scanning methods.

Aside from a few stability issues that took them bloody forever to work out on 2K (BSOD's once a week for a few months on my box as a result) - it's been a great product for years. I've gotten to laugh at the people using McAfee's and Norton's several times and say 'I told you so' when they got hit.

Unfortunately - I think they have the price for the personal edition set too high, and can't market in the U.S. for shit.

If we're lucky... (4, Funny)

Black Parrot (19622) | more than 11 years ago | (#6701750)


If we're lucky the power will be out and the worms won't be able to carry out their attack.

Copycats (1)

interiot (50685) | more than 11 years ago | (#6701752)

Nothing really changed other than the exe filenames and registry keys as far as I know. It doesn't even look like updated functionality from the author, just copycats.

Re:Copycats (1)

slithytove (73811) | more than 11 years ago | (#6701816)

The executable compression scheme used has changed too, as the article states.
They also state that their software detects both without an update. That's interesting- I always figured (and never bothered to educate myself and discover otherwise) that virus definitions were less flexible than that- like md5 sums or something. Or is Kaspersky ahead of the game?

Re:Copycats (1)

bhtooefr (649901) | more than 11 years ago | (#6701858)

Heuristics. Note that it DETECTS both. A program intentionally crashing RPC is a virus-like activity according to the Kaspersky engine. Or so I think.

Re:Copycats (0)

Genghis Troll (158585) | more than 11 years ago | (#6701926)

Virus detection is a lot more involved than md5 sums. Check out Viruses Revealed [sherpasoft.org.uk] for a good introduction (can be got cheaply on half.com and similar overstock sites).

Re:Copycats (1)

Satan's Librarian (581495) | more than 11 years ago | (#6701940)

A lot of antivirus packages have been able to 'see through' lousy encryption schemes and packing techniques for a long time. The polymorphic viruses (viruses with a pseudo-random encryptor/decryptor around them) and high level language viruses forced that back in the early 90's. A few have pretty serious processor emulation built in for heuristics to detect unknown viruses, although others use code signatures for the same purpose.

Most of the good AV packages do perform a hash of some sort on the unchanging parts of the virus to make sure it is the exact same one as their sample as a final check - otherwise disinfection can be dangerous depending on what has changed, and a huge percentage of the viruses out there are simple hacks of others. Misidentification can be really bad if something like an encryption key protecting original data from the program is changed.
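Added example, not part of any comment in this thread: why a whole-file hash misses a repacked copy while a wildcard signature applied after unpacking still matches, followed by the hash over the matched region that the comment above describes as the final exact-identification check. The two "packers" are zlib and bz2 stand-ins, the sample bodies are constructed placeholder bytes, and all function names are this example's own.

```python
import bz2
import hashlib
import re
import zlib

# Stand-ins for two executable packers (the thread mentions UPX and FSG).
# Real packers are not reproduced; only the idea of a different wrapper is.
PACKERS = {
    b"PKA:": (zlib.compress, zlib.decompress),
    b"PKB:": (bz2.compress, bz2.decompress),
}


def pack(tag, body):
    """Wrap a body in one of the stand-in packing layers."""
    return tag + PACKERS[tag][0](body)


def unpack(data):
    """Strip a known packing layer so signatures see the real body."""
    for tag, (_, decompress) in PACKERS.items():
        if data.startswith(tag):
            return decompress(data[len(tag):])
    return data


def compile_signature(parts):
    """bytes chunks match literally; an int N matches any N bytes (wildcard)."""
    pattern = b"".join(
        b".{%d}" % p if isinstance(p, int) else re.escape(p) for p in parts
    )
    return re.compile(pattern, re.DOTALL)


def digest(data):
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_hit(data, blocklist):
    """The 'md5 sums or something' model: exact whole-file hash lookup."""
    return digest(data) in blocklist


def make_body(dropped_name, banner):
    """Constructed placeholder body; not code from any real worm."""
    return b"HDR|" + dropped_name + b"|SPREAD-ROUTINE-PLACEHOLDER|" + banner


SAMPLE_A = make_body(b"msblast.exe", b"first banner text")
SAMPLE_C = make_body(b"teekids.exe", b"second, different banner")

# Family signature: fixed chunks from the stable areas, 11 wildcard bytes over
# the dropped file name, which is the part a copycat changes.
FAMILY_SIG = compile_signature([b"HDR|", 11, b"|SPREAD-ROUTINE-PLACEHOLDER|"])

# Exact identification: hash of the matched region of the analysed sample.
EXACT_IDS = {digest(FAMILY_SIG.search(SAMPLE_A).group(0)): "sample-A"}


def classify(data):
    """Return 'clean', 'family-only' or 'exact:<name>' for a file's bytes."""
    body = unpack(data)
    match = FAMILY_SIG.search(body)
    if match is None:
        return "clean"
    exact = EXACT_IDS.get(digest(match.group(0)))
    # family-only: detected, but not byte-identical to the analysed sample,
    # so sample-specific disinfection steps should not be applied blindly.
    return "exact:" + exact if exact else "family-only"


if __name__ == "__main__":
    a_zlib = pack(b"PKA:", SAMPLE_A)
    a_bz2 = pack(b"PKB:", SAMPLE_A)
    c_bz2 = pack(b"PKB:", SAMPLE_C)
    blocklist = {digest(a_zlib)}
    for label, blob in [("A/zlib", a_zlib), ("A/bz2", a_bz2), ("C/bz2", c_bz2)]:
        print(label, hash_blocklist_hit(blob, blocklist), classify(blob))
```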

The Internet is not Secure (3, Insightful)

blair1q (305137) | more than 11 years ago | (#6701756)

How many times do people need to be told this?

Well some are safe from it... (5, Funny)

3seas (184403) | more than 11 years ago | (#6701770)

Those in the US north east and south east Canada.....

MS Worm & Power Cuts (5, Interesting)

Anonymous Coward | more than 11 years ago | (#6701771)

OK you'd have to be a cyber terrorism nut to believe the power blackouts were caused by the virus but some friends at Con-Ed have told me the virus isn't totally innocent, apparently the trouble ticketing / work management system some of the affected power companies are using is running on a load of windows servers and not all of them managed to get patched in time. So the recovery operation is being hampered a bit by the worm.
And I thought those guys were just exaggerating things.

Re:MS Worm & Power Cuts (1)

szyzyg (7313) | more than 11 years ago | (#6701788)

Wow! At last a worm / power cut link that actually makes sense, what's the bets on Con-Ed moving over to linux in the near future?

Re:MS Worm & Power Cuts (0)

Anonymous Coward | more than 11 years ago | (#6701943)

They probably won't. I bet they hired a bunch of cheap MCSE's who don't know anything else.

News Flash (5, Funny)

ReyTFox (676839) | more than 11 years ago | (#6701778)

SCO declares that it holds the copyrights to LoveSan and demands that all clones pay a $1500 licensing fee.

Re: News Flash (1)

Black Parrot (19622) | more than 11 years ago | (#6701968)


> SCO declares that it holds the copyrights to LoveSan and demands that all clones pay a $1500 licensing fee.

Actually you only have to pay the fee if you run it on Linux.

New Energy Industry version (1)

Un pobre guey (593801) | more than 11 years ago | (#6701780)

The new version targets power generating stations running Win2k and leaves the following line in the event log:

The Continue Generating Power For Most Of North America Server service failed to start due to the following error: The system cannot find the file specified.

I hope this new version runs under WINE (1, Funny)

Anonymous Coward | more than 11 years ago | (#6701792)

I am feeling left out. That worm is striking everything. Please, worm writers, try it out under WINE (http://www.winehq.org) before you release that worm. Better yet, write your worms in something cross-platform like Java. Oh wait, java doesn't have buffer so you can't do buffer overflows so most worms won't work. Never mind.

Re:I hope this new version runs under WINE (4, Funny)

ihummel (154369) | more than 11 years ago | (#6701953)

We at CodeWeavers are proud to announce our new product: Crossover Blaster. This new piece of software for the Linux operating system will provide the same quality that you've come to expect from Crossover Office, but this time with the very popular Blaster worm (known to some as LovSan). It will even work with clones of the worm.

Finally, all the Linux users who have felt left out can participate in the reboot fun. It is a bargain for $50. See www.crossoverblaster.devnull for more details.


Disclaimer: I do not work for CodeWeaver. My views are purely my own.

close to being /.ed (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#6701797)

Kaspersky Labs, a leading expert in information security, has identified a new modification of the notorious Lovescan worm (also known as "Blaster").

Kaspersky Labs' experts anticipate that in the short run a repeated outbreak of the global scale may occur. This is because the two versions of "Lovescan" exploit the same vulnerability in Windows and may co-exist on the same computer. "In other words, all computers infected by the original "Lovescan" will soon be attacked by its revamped version," commented Eugene Kaspersky, Head of Anti-Virus Research for Kaspersky Labs, "Taking into consideration that the amount of infected systems is now reaching 300,000 the return of the worm will imply a doubling of this number and lead to unpredictable results." In the worst case scenario the world community might face a global Internet slow-down and regional disruption of access to the World Wide Web: just as it happened in January 2003 due to the "Slammer37" worm.

Technologically, the new modification of "Lovesan" is a copycat of the original. Slight changes were made only to the appearance of the worm: a new name of the main worm-carrier file (TEEKS.EXE instead of MSBLAST.EXE), a different method of code compression (UPX instead of RMA), and new "copyright" strings in the body of the worm abusing Microsoft and anti-virus developers.

Users of Kaspersky(R) Anti-Virus can be sure that this new worm will not harm their computers. All Kaspersky Labs products effectively detect both modifications of "Lovescan", without requiring an update.

Blaster.B and Blaster.C (4, Informative)

SimplexO (537908) | more than 11 years ago | (#6701803)

This post is about what Symantec [sarc.com] calls W32.Blaster.C.Worm [sarc.com] . Don't forget that there is also a W32.Blaster.B.Worm [sarc.com] .

B:
Adds the value:
"windows auto update"="penis32.exe" to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run so that the worm runs when you start Windows.


C:
Adds the value:
"Microsoft Inet Xp.."="teekids.exe" to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run so that the worm runs when you start Windows.


The new C means that the scan that we use to get the original out of the registry has to be modified so we can find this C variant.
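A registry check covering the file names mentioned in this thread, added here as an illustration and not posted by any commenter: it parses a `.reg` export and reports Run-key values that launch one of those files, so one scan finds the original and the B and C variants. The sample export is constructed and the function names are this example's own; the space in "Curr entVersion" in the comment above is a Slashdot line-wrapping artifact, and the key is spelled `CurrentVersion`.

```python
import re

# Correct spelling of the Run key. Keys are compared ignoring whitespace and
# case, so an indicator pasted with the forum's stray space still matches.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Worm file names mentioned in this thread and the variant each indicates.
WORM_FILES = {
    "msblast.exe": "Blaster (original)",
    "penis32.exe": "W32.Blaster.B.Worm",
    "teekids.exe": "W32.Blaster.C.Worm",
}

SECTION = re.compile(r"^\[(.+)\]$")
# "name"="data" string values; .reg files escape \ as \\ and " as \".
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# A file name ending in .exe, without any directory part.
EXE_NAME = re.compile(r'[^\\/"\s]+\.exe', re.IGNORECASE)


def same_key(a, b):
    """Compare two registry key paths ignoring whitespace and case."""
    def canon(key):
        return re.sub(r"\s+", "", key).lower()
    return canon(a) == canon(b)


def unescape(text):
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in a .reg export.

    Exports written by regedit are UTF-16; decode the file before calling.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1)
            continue
        value = STRING_VALUE.match(line)
        if value and key is not None:
            yield key, unescape(value.group(1)), unescape(value.group(2))


def find_blaster_autoruns(text):
    """Return (value_name, file_name, variant) for Run-key values that start a
    file named in WORM_FILES. The whole file name must match, so a value
    launching notmsblast.exe is not reported."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not same_key(key, RUN_KEY):
            continue
        for exe in EXE_NAME.findall(data):
            variant = WORM_FILES.get(exe.lower())
            if variant:
                hits.append((name, exe.lower(), variant))
    return hits


# Constructed sample export: two benign autoruns, the B and C values quoted in
# the comment above, and a string outside the Run key that must be ignored.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SomeApp"="\"C:\\Program Files\\SomeApp\\app.exe\" /tray"
"Updater"="C:\\Tools\\notmsblast.exe"
"windows auto update"="penis32.exe"
"Microsoft Inet Xp.."="teekids.exe"

[HKEY_CURRENT_USER\Software\Example]
"note"="mentions teekids.exe in free text"
'''

if __name__ == "__main__":
    for value_name, file_name, variant in find_blaster_autoruns(SAMPLE_EXPORT):
        print(f"{variant}: Run value {value_name!r} starts {file_name}")
```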

slashcode (0)

Anonymous Coward | more than 11 years ago | (#6701851)

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run

why does slashcode add random spaces in long lines

Re:slashcode (0)

Anonymous Coward | more than 11 years ago | (#6701958)

so trolls can't post page-widening posts. If you post a long string with no spaces, it'll stay on 1 line and make the browser window really wide so you have to scroll. So slashdot breaks every 80 characters or so

How much you wanna bet... (1)

xxltjx (696780) | more than 11 years ago | (#6701809)

...that half of the people who were affected with slammer STILL haven't patched their systems?

Re:How much you wanna bet... (1)

xxltjx (696780) | more than 11 years ago | (#6701845)

Gah, I meant Blaster. Sue me. The power outages scare me. :-p

Not as big of deal as you think (2, Insightful)

sgtsanity (568914) | more than 11 years ago | (#6701810)

This uses the same vulnerability as before. Which means that if you were hit by but recovered from blaster, you'll be safe from this one. That said, this is a more virulent form, and will screw over unprotected networks even faster. But it won't be nearly as damaging as the original. This is just an example of an anti-virus software producer hyping up a virus to sell their product.

bleh (2, Interesting)

Solikawa (604301) | more than 11 years ago | (#6701829)

I think it's funny that I've had the patch since it's been out and almost everybody in the US doesn't have their boxes patched. It kinda pisses me off though, that M$ is not getting blamed for having the vulnerability. Yes, nobody is perfect, I'm sure Linux and MacOS have exploits that can do the same things, except they don't make $498,324,059,872,309 a minute. The world needs to realise that's all Bill wants to do: make money from idiots.

Re:bleh (1)

bigjnsa500 (575392) | more than 11 years ago | (#6701871)

Do you really expect Ma and Pa Kettle to have their systems patched? When was the last time you tried to download 57 Critical Updates and 4 Service Packs with a dialup connection from a stock Win2k/XP install with each requiring a reboot?

Re:bleh (1)

bhtooefr (649901) | more than 11 years ago | (#6701877)

Ummm... did you read the stuff in the worm? It went something like "Billy Gates why do you make this possible? Stop making money and fix your software!" The AUTHOR is blaming MS.

MS Releases Network Scanning Tool (5, Informative)

MacrosTheBlack (169299) | more than 11 years ago | (#6701842)

Microsoft have released a tool to scan your local network (or the whole net if u really wanted to).
Download [microsoft.com]
Network admins have fun.

Re:MS Releases Network Scanning Tool (1, Informative)

MacrosTheBlack (169299) | more than 11 years ago | (#6701860)

Oops, to clarify, the tool allows scanning for machines with & without the patch. Have fun.

Re:MS Releases Network Scanning Tool (1)

MacrosTheBlack (169299) | more than 11 years ago | (#6701938)

I know this is going to get flamebait or troll but fuck it!

How can the parent comment be overrated? It's a comment on a scanner for the patch to the virus that the article is about. & the followup is redundant? Fuck that!

Whoever is the moderator needs to get a clue. Preferably with a 2x4. Pity I can't use my mod points on an article I comment on.

Icon (-1, Troll)

Keebler71 (520908) | more than 11 years ago | (#6701847)

When was the Icon for MS stories changed from the Gates-borg to this four-colored tile thing? (is there a name for it). As funny as it was, I was wondering when it was gonna be changed... could this have anything to do with the recent poll on zealots?

Re:Icon (1)

bhtooefr (649901) | more than 11 years ago | (#6701904)

The Gates-borg still exists. http://slashdot.org/topics.shtml scroll down to the Ms. It's in the far left column. The four-color thing is for Windows.

the average user reaction... (2, Interesting)

mraymer (516227) | more than 11 years ago | (#6701861)

First, let me say that in Soviet Russia, the file sends YOU to have MY advice!

Yeah that sucked. Anyway, I find it interesting to note the common public reactions to these outbreaks of exploits.

For example, this link [cnn.com] shows a CNN poll where "Doing Nothing" about the worm is tied with "already downloaded a patch" -- this is kind of interesting, since CNN would be a more "general user" audience than tech savvy folk here.

I wonder why no one seems to really care about computer security until it hits them with data loss, or worse.

Patches and backups are things people always promise to do "later" -- and, luckily for data recovery companies, later seldom comes.

I'm sure many people here have done voluntary tech support for friends and family. What do you find to be the most frequent problems? Would you trace them to user negligence, or Microsoft software, or perhaps a combination of the two? Perhaps it's some other factor, such as the "dumbing-down" of computers by the media leading to common misconceptions?

Sometimes, as reports of Windows exploits become a daily news item, I often wonder when people will, en masse, decide they've simply had enough and switch?

Re:the average user reaction... (1)

bigjnsa500 (575392) | more than 11 years ago | (#6701916)

Good point. Being the only computer savvy person in my family I get the calls on a frequent basis. The other day, I had to *fix* the laptop I gave my father because it was infected. He is the type of person who is only online long enough to check his email. To have his laptop infected by this worm in that short amount of time is dumbfounding.

Luckily I have a good network at work and completely updated/patched his laptop in about 2 hours (thanks to windowsupdate being so friggin slow).

SCO announcement (3, Funny)

thanjee (263266) | more than 11 years ago | (#6701863)

Lovsan is a proprietary product of SCO. All users who are running Lovsan on their computers without a license will face charges of $5,000.
Licensing fees start at $699 for home users.

Re:SCO announcement (0)

Anonymous Coward | more than 11 years ago | (#6701942)

Is that supposed to be funny?

a deep dark thought.... (4, Interesting)

ecalkin (468811) | more than 11 years ago | (#6701874)

i was wondering about the motivations of the person(s) that wrote this. they seemed to have a mad-on against microsoft. what seemed weird was that if this had been a 'quiet' worm that spread, there would have been a lot more machines that were infected on dday. ms being hit by a large number of zombies and having to *beg* people to clean up their systems would have been pretty funny.

i saw the news about the second (and third) versions and i just wondered if these (all three) were just a distraction. i wonder how many people looked for an awfully obvious process and if they didn't see it, well, that was the end of the story?

something smells here.

eric

Re: a deep dark thought.... (5, Interesting)

Black Parrot (19622) | more than 11 years ago | (#6701990)


> i saw the news about the second (and third) versions and i just wondered if these (all three) were just a distraction. i wonder how many people looked for an awfully obvious process and if they didn't see it, well, that was the end of the story? something smells here.

I've always wondered whether someone planning a criminal break-in somewhere might not release a virus as a cover, so that the victim would shrug off any anomalies on their system as side effects of the virus, and think the virus fix was end-of-story.

Create a worm that patches the vulnerability? (2, Interesting)

Larthallor (623891) | more than 11 years ago | (#6701881)

I'm surprised someone doesn't write a worm to patch the vulnerability and clean the system, if already compromised. After all, if you don't mind leaving yourself open to attack by a malicious worm, how can you complain about getting repaired by one that is beneficial?

Re:Create a worm that patches the vulnerability? (0)

Anonymous Coward | more than 11 years ago | (#6701915)

Because.. a person who writes a malicious worm is doing wrong and knows it, and just doesn't care. A person who makes a worm to fix the exploit, while doing a good deed, can still get in trouble.. What if the patch screws up and totally crashes some company's computer and causes them to lose important data? They'll sue this guy. Good guys don't want to get in trouble, the bad guys don't care.

Re:Create a worm that patches the vulnerability? (0)

Anonymous Coward | more than 11 years ago | (#6701928)

One has already been written.

Re:Create a worm that patches the vulnerability? (1)

Satan's Librarian (581495) | more than 11 years ago | (#6701992)

Probably a troll - but a really *bad* idea. It's been done in the past. Problem being - the follow up virus caused more damage than the original, and infected a lot of uninfected users' machines. In the worm world (worm = nonparasitic network-based), it would still cause heavy traffic with the scans, even if it didn't infect anyone but already infected machines.

Ever written a complex low-level program that ran on millions of machines without a single user ever finding a bug in it? printf("Hello world!"); doesn't count.

If you want to go vigilante - write a nice happy non-replicating program that scans everyone's PC on the net and fixes the problem. I wouldn't recommend this from a legal standpoint though.

I hope they find them (-1, Troll)

DorkHead (696720) | more than 11 years ago | (#6701892)

I hope they find the criminal(s) that releases these viruses and punish them really, really hard.
I think the time has come to set a very, very BIG example here.
I know this is Slashdot and that this virus is attacking the reputation of the Big Evil(tm), and that Microsoft should do a lot more to fix things, but there has never been a 100% secure operating system that has been run by more than 1 person.
If (When?) Linux/FreeBSD/etc had been run by every average guy in the street, of course the same thing would happen to those systems. The patch for this virus has been out for what, a month or so now?
And people still haven't patched their systems. Heck, I know people who have NEVER patched their systems, they don't even know what it is!
So yes, people should update their operating systems and so on and so forth, but by The Big Man In The Sky I hope they catch the releasers of these viruses and punish them really, really hard to set an example.
Breaking into other people/businesses' systems is considered a felony in most countries and this is breaking into possibly millions of systems, so I hope the punishment will fit this crime.
It doesn't even take very much skill to even write a virus like this since someone else has already told you how to do it on BugTraq.

Great. Just great. (1)

Telecommando (513768) | more than 11 years ago | (#6701919)

We're gonna get 'wormed' again.

I spent the better part of today patching systems for (l)users that couldn't patch their systems themselves and the rest of the day I spent fixing machines that hung when they rebooted after the patch.

I guess I know what I'll be doing tomorrow.

Benevolent Virii (4, Interesting)

pavon (30274) | more than 11 years ago | (#6701920)

You know here's a cool idea, seeing as the biggest problem with virii is that people don't keep their systems up-to-date.

When someone finds out about an exploit, they tell the company about it (aka MS) and give them time to come up with a patch. Then after sufficient time has passed for security-conscious people to patch their systems, a virus is released that takes advantage of the exploit to either inform the user that their system is vulnerable and that they should install the patch, or simply install the patch for them.

A lot of times it seems to take a big attack for busy system admins to roll out a system wide update. I have talked to people whose work computers have been hit pretty hard by virii and I just wonder what would have happened had they been hit by a truly malicious virus, not just these annoying but easily recoverable ones. It scares me.

culpability (5, Interesting)

negacao (522115) | more than 11 years ago | (#6701923)

This is getting extremely annoying - I'm still getting hits daily from Code Red & Nimda. I'd like to personally line up each person who hasn't patched their system and slap them.

Along with the idiots at microsoft who don't make updates for IIS available through windowsupdate. (in my experience, ymmv.) C'mon, it's shipped with the OS, you've got automatic updates on by default, so make them patch the goddamn webserver.

who came up with "lovesan"? (1, Redundant)

0111 1110 (518466) | more than 11 years ago | (#6701934)

I'm just trying to figure out who or what came up with the name "LoveSan" and why? variations on "blaster" make sense because the name of the original executable was wblaster.exe and the intention was obviously to "blast" windows update or unpatched windows users or microsoft or whatever, but "LoveSan"? Am I missing something here?

Re:who came up with "lovesan"? (2, Informative)

MacrosTheBlack (169299) | more than 11 years ago | (#6701956)

A text string in the virus says "love you san". There's also one having a go at "billy gates".

Re:who came up with "lovesan"? (1)

BradleyUffner (103496) | more than 11 years ago | (#6701978)

Yes, you are missing something... The original virus contains the string "I love you San" or something to that effect, I can't remember the exact text. It is never actually displayed by the virus, but it's contained in the executable.

Buzzz. Zz. (zee) (0, Offtopic)

FofR (697088) | more than 11 years ago | (#6701944)

This all gives me a buzz. I think I am quite sad. Maybe pathetic is a better word.